from the the-hidden-war dept

Update: Gizmodo is calling bullshit on these claims. They're likely correct that this attack was not a "threat" to the overall internet, but I also believe that Gizmodo is underplaying the potential problems from open resolvers.

We've known for a while that there are a number of people out there who really dislike Spamhaus, one of the better-known providers of a blacklist of spam IP addresses. For what it's worth, there are times when it feels like Spamhaus may go overboard in declaring an IP or range of IP addresses as spammers. And, to some extent, because of that, it seems like some who use the Spamhaus list rely on it a bit too strongly. That said, Spamhaus is doing important work in helping to stop the internet from being overrun with spam, and that's a good thing. But sometimes those it pisses off aren't particularly nice people. Last week, Spamhaus added hosting company Cyberbunker to its spamlist. Someone didn't like that very much, and thus began a very big DDoS attack using open DNS recursors. Spamhaus went to Cloudflare, who was able to mitigate the worst of the attack.

But... that just led to round two, in which whoever was behind the DDoS went much, much bigger, attacking a bunch of the providers who supply Cloudflare with its bandwidth. Basically, it was massive firepower directed at some key points on the internet. And it was a pretty big deal. Cloudflare's blog post stays away from getting too expressive about the whole thing, but just the fact that they note the attack came close to "breaking" the internet should get you to wake up.

Tier 1 networks don't buy bandwidth from anyone, so the majority of the weight of the attack ended up being carried by them. While we don't have direct visibility into the traffic loads they saw, we have been told by one major Tier 1 provider that they saw more than 300Gbps of attack traffic related to this attack. That would make this attack one of the largest ever reported.

The challenge with attacks at this scale is they risk overwhelming the systems that link together the Internet itself. The largest routers that you can buy have, at most, 100Gbps ports. It is possible to bond more than one of these ports together to create capacity that is greater than 100Gbps; however, at some point, there are limits to how much these routers can handle. If that limit is exceeded then the network becomes congested and slows down.

Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.

Questioned about the attacks, Sven Olaf Kamphuis, an Internet activist who said he was a spokesman for the attackers, said in an online message that, "We are aware that this is one of the largest DDoS attacks the world had publicly seen." Mr. Kamphuis said Cyberbunker was retaliating against Spamhaus for "abusing their influence."

"Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet," Mr. Kamphuis said. "They worked themselves into that position by pretending to fight spam."

Of course, all of this has clearly exposed a big vulnerability in the setup of the internet, and suggests that slowing down the internet on a large scale is entirely possible. But it's also made security folks that much more aware of how urgent it is to fix a key vulnerability that made this possible: the fact that there are so many open DNS resolvers out there that can be used to launch massive DDoS attacks. Because of that, security folks are rushing around to see if they can convince people to close as many as possible of the approximately 21.7 million open resolvers out there:

While lists of open recursors have been passed around on network security lists for the last few years, on Monday the full extent of the problem was, for the first time, made public. The Open Resolver Project made available the full list of the 21.7 million open resolvers online in an effort to shut them down.

We'd debated doing the same thing ourselves for some time but worried about the collateral damage of what would happen if such a list fell into the hands of the bad guys. The last five days have made clear that the bad guys have the list of open resolvers and they are getting increasingly brazen in the attacks they are willing to launch. We are in full support of the Open Resolver Project and believe it is incumbent on all network providers to work with their customers to close any open resolvers running on their networks.

Basically, over the last week or so, there's been a war going on, concerning parts of the core of the internet, and while it might not have impacted you yet (or, maybe it did), it's likely that the next round will be even bigger. In the meantime, the race is on to shut down open resolvers to try to keep the internet working, and hopefully to cut down on the power of such attacks.
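How a network operator can tell whether a DNS server on their own network is an open recursor of the kind described above, as an added Python example that is not from the original post, Cloudflare or the Open Resolver Project: it sends one query with the RD bit set and treats a reply that has RA set, rcode NOERROR and at least one answer as "open". The sample replies are constructed, and `example.com` and 192.0.2.1 are placeholder values.

```python
"""Probe a DNS server to see whether it recurses for arbitrary clients.

Added example, not code from the original post. A resolver that returns a
recursive answer (RA set, NOERROR, answers present) to a host outside its
own network is an "open resolver" of the kind the post says should be shut
down; a correctly restricted one returns REFUSED (rcode 5) instead.
"""
import random
import socket
import struct
import sys

# Placeholder query name; any name the server is not authoritative for works.
PROBE_NAME = "example.com"


def build_query(txid: int, name: str = PROBE_NAME) -> bytes:
    """Build a wire-format DNS query for an A record with RD=1."""
    flags = 0x0100  # QR=0, opcode=QUERY, RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # message is a response
        "ra": bool(flags & 0x0080),      # server offers recursion
        "rcode": flags & 0x000F,         # 0 = NOERROR, 5 = REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_open_recursor(query: bytes, response: bytes) -> bool:
    """True if `response` shows the server recursed on the querier's behalf."""
    sent = parse_header(query)
    got = parse_header(response)
    return (
        got["id"] == sent["id"]   # reply matches our transaction
        and got["qr"]
        and got["ra"]
        and got["rcode"] == 0
        and got["ancount"] > 0
    )


def check_resolver(addr: str, timeout: float = 3.0) -> bool:
    """Send one probe to `addr` over UDP/53 and report whether it is open."""
    query = build_query(random.randint(0, 0xFFFF))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (addr, 53))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False  # no reply: filtered or not a resolver, not "open"
    return is_open_recursor(query, response)


# Constructed sample replies to transaction 0x1234 (not real captures).
SAMPLE_QUERY = build_query(0x1234)
# Open resolver: QR|RD|RA, NOERROR, one A record (192.0.2.1, TEST-NET-1).
SAMPLE_OPEN_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + SAMPLE_QUERY[12:]                       # echoed question section
    + b"\xc0\x0c"                             # name pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4)      # TYPE A, IN, TTL 300, RDLEN 4
    + bytes([192, 0, 2, 1])
)
# Restricted resolver: QR|RD, no RA, rcode REFUSED, no answers.
SAMPLE_REFUSED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + SAMPLE_QUERY[12:]
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder
    print(f"{target}: {'OPEN recursor' if check_resolver(target) else 'not open'}")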

from the urls-we-dig-up dept

Carbon capture and sequestration (CCS) efforts are an important part in the mitigation of global warming, but unfortunately, progress has been rather slow, and at its current pace, the world won't be able to meet climate change targets by 2020. There are only eight active CCS projects worldwide right now, and most of them involve pumping waste carbon dioxide down into oil wells to flush out hard-to-reach crude oil, while also storing 23 million tons of carbon dioxide underground each year. Here are a few other CCS ideas.

from the a-troll's-gotta-troll dept

For many years, even as people correctly noted that Intellectual Ventures was perhaps the world's biggest patent trolling operation, the company insisted that it shouldn't be called a troll, in part because it hadn't actually sued anyone. That was misleading for a variety of reasons, the biggest being that the war chest behind IV and the implicit threat of lawsuits certainly got plenty of companies to cough up huge sums to avoid them. While IV has ridiculously strict nondisclosure agreements, various leaks have suggested companies often pay hundreds of millions of dollars to Intellectual Ventures... for nothing. All they really get is a promise not to be sued and the potential to dip into IV's big database of mostly useless patents, which the paying companies can then use to sue others. Overall, Intellectual Ventures admits that it has brought in over $2 billion directly from licensing and another $5 billion in "investments" -- some of which came from companies "buying in." What a racket, huh?

Back in 2010, the company finally filed its first lawsuits. Since then it's continued filing lawsuits on an irregular basis. 2011 was a big year, with sudden bursts of lawsuits in July, September and October. 2012 had fewer lawsuits, and just small blasts in February and May. However, it looks like IV may be ramping up with the lawsuits again. IV filed three in February (one against Windstream and a few small telcos, one against CenturyLink, Qwest, Embarq, Savvis & CenturyTel, and one against AT&T and various subsidiaries). However, in the last week or so, it's filed three more lawsuits. First against Symantec, then against Toshiba, and the latest against Canon and Ricoh.

The latest one claims that Canon and Ricoh -- two companies, I should remind you, who actually produce printers and actually add value to the world by making products -- are apparently violating some IV patents which have to do with printing. They claim that Canon (whom they've sued before) infringes on nine patents and Ricoh infringes on seven.

So, let's ask a simple question: what has Intellectual Ventures contributed to the world of printing?

We'll wait.

Okay, it was a trick question: the answer is absolutely nothing. No printer company in the world has relied on some great breakthrough from Intellectual Ventures, nor have they relied on the insight gleaned from a crappy patent that IV bought at some point. No, printer companies have built and innovated based on their experience in the marketplace selling printers. Intellectual Ventures is simply trolling and taking away from actual innovators.

Since our founding, IV has efficiently and effectively identified strong patents covering significant and relevant inventions, purchased those patents, and marketed and licensed them to companies who need them. A properly functioning patent system is the foundation of IV's business model, along with the sensible notion that a fair price must be paid for use of a patented invention.

Almost nothing in that paragraph is accurate. IV started out by buying up patents, en masse, from various universities' "tech transfer offices" after those universities spent big time setting up those offices, thinking it would bring in lots of cash. Then no one wanted those patents (at least not at the ridiculous prices offered), and nearly every single university tech transfer office suddenly came to be seen as a cost center rather than the profit center that was planned. Enter IV with a giant war chest, agreeing to buy up tons of crappy patents that no one else valued or wanted, on the cheap, and suddenly tech transfer offices can aggregate a bunch of patents and show some money coming in. IV has never, ever been about "identifying strong patents." It has always been about finding enough patents they can use to pressure companies into giving them money. IV's entire business model, from the beginning, was built on exploiting a clearly broken patent system by a group of folks who had a history with the system.

As for a "fair price," a fair price is what someone in the market is willing to pay for a product. Not what IV gets by bullying companies. IV has tens of thousands of patents. We've yet to find a single one that was a key breakthrough which companies relied on to move innovation forward. Because they don't have any such patents.

Patent infringement, however, continues to be a problem and the patent system cannot work as intended if infringement goes unchecked. When sophisticated companies turn a blind eye to infringement, we are forced to take action to safeguard the value of our patents and to protect the interests of our investors and customers. Infringers need to pay for the inventions they are using. An issued patent provides rights to the patent owner and when these rights are ignored, it impairs the incentives that spur invention and poses a real threat to innovation.

That entire paragraph might make sense if the patents in question were (a) unique, clearly defined and definitive breakthroughs and (b) were the main reason why other companies produced the products they did. However, since (as far as we can tell) every single situation in which IV has sued a company has been because of independent invention by actual practitioners in the field doing what the market asks for, and the patent in question has nothing to do with the actual innovation, it's not just wrong to suggest that "infringers need to pay," it's a gleeful cheering on of a shakedown.

Finally, the idea that when patent owners don't sue it somehow "impairs the incentives that spur invention and pose a real threat to innovation" has simply no basis in any reality-based discussion. The problem with the patent system today is the fact that broad and vague patents are being asserted against obvious innovations in the marketplace. That is putting a massive tollbooth on innovation.

We enter into litigation after careful deliberation and a thorough analysis of the patents we own and the products we believe to be infringing. The actions we take to protect our rights are with established, patent savvy technology companies – not start-ups – and we have reached settlements for significant amounts. In other words, our patent portfolios are being recognized for their validity and relevance to current industries and key technologies.

IV does not enter litigation lightly, and our actions are not frivolous. Asserting our rights is something IV, and any patent owner must do, when their patents are being used without license.

Shorter version of this paragraph: look, we only shake down big companies with big bank accounts. The fact that some of them are willing to pay does not mean the patents are recognized for their "validity." It means that big companies can do the math on the cost of fighting IV in court, and recognize it's cheaper to pay up than deal with the mess. IV may not enter into litigation lightly, but it's abusing the system, taking billions of dollars out of actual innovation, and is the perfect example of everything that's wrong with the patent system.

from the and-hopefully,-head-off-further-damaging-CFAA-precedent dept

Andrew "Weev" Auernheimer is appealing his 41-month prison sentence (and its accompanying fine of $73,000). Many members of the security community have expressed concern with this ruling, especially in light of other CFAA cases. Auernheimer's exposure of AT&T's security hole doesn't really seem like the sort of thing that should be punished, at least not with multiple years in jail and a hefty fine. Then there's the unsettling feeling that the US prosecutors pushed hard for a prison sentence because they found Weev unlikable.

Fortunately for Weev (and others who have or will run afoul of the CFAA), Orin Kerr has stepped up to offer pro bono representation in Auernheimer's appeal (along with members of the EFF). Kerr, most recently spotted here going head-to-jackass with Rep. Gohmert over the legality of "destroying" a hacker's computer, has a very thorough post discussing his reasons for joining the fray. Basically, it boils down to this: nearly everything about the government's decision is wrong, which is problematic if this ruling is going to be used as precedent in future CFAA cases.

In the government’s view, visiting the URLs was an unauthorized access of AT&T’s website. But I think that’s wrong. At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an “unprotected website” that is “open to the public.” The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access. If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them.

According to Kerr, undesirable access does not equal unauthorized access. The URLs were publicly available due to AT&T's own carelessness. What this actually looks like is the vindictive pursuit of an individual for publicly embarrassing the company. But it's not all on AT&T. The prosecutors themselves had to do a bit of creative sentencing to arrive at a "suitable" punishment for Weev's "hack."

Unauthorized access is ordinarily a misdemeanor. Why is this crime a felony? Here’s the government’s remarkable theory. All 50 states have state unauthorized access computer crime statutes similar to the federal unauthorized access statute. The government’s theory is that this overlap turns essentially all federal CFAA misdemeanors into federal felonies. They rely on 18 U.S.C. 1030(C)(2)(B)(ii), which states that a misdemeanor unauthorized access becomes a felony when it is “in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” The government argues that the existence of state unauthorized access crimes transforms unauthorized access misdemeanor crimes into felonies: The overlap means that every federal unauthorized access crime is a federal crime “in furtherance of” the analogous state crime.

As Kerr states, this is nothing more than disingenuous double-counting being done for no other reason than to make the charges carry some weight. A misdemeanor results in a slap on the wrist, something that would hardly make AT&T happy. This isn't Kerr's (or the government's) first experience with hacking-related double-counting.

Back in 2011, Sarah Palin's email account was hacked and the Justice Department attempted to charge the hacker under two overlapping laws: "hacking into a computer" and "hacking an email account." This was overturned on appeal by the Fourth Circuit court, which stated that the Justice Department's attempt to double dip on a single action violated US principles on double jeopardy. This situation is more of the same, only with a convenient overlap of federal and state laws allowing prosecutors to ratchet up the charges from a misdemeanor to a full-blown felony.

In addition to these problems, Kerr also finds some jurisdictional issues at play. Even though none of the principals are located in New Jersey, the charges were brought in that state. The rationale? Some of the email addresses belonged to New Jersey residents. This paper-thin justification for filing charges in a pretty much unrelated state gives the appearance of prosecutorial venue shopping.

The most ridiculous aspect of the case is Kerr's final reason for stepping in: the sentence.

The largest part of Auernheimer’s sentence was due to an alleged $73,000 in loss suffered by AT&T. Under the provisions of the Sentencing Guidelines associated with 18 U.S.C. 1030, sentences are based primarily on the amount of loss caused by the crime. More dollar loss to the victim means more time in prison for the defendant.

AT&T claims it incurred costs of $73,000 due to Auernheimer's actions. But it claimed no loss to its computers, it suffered no downtime and lost no data. The only assertion of loss comes via AT&T's efforts to notify customers of the data breach.

First, AT&T notified its customers by e-mail. That was free, leading to a “cost” so far of zero. But then AT&T decided to follow-up the e-mail notification with paper letter notification, and the postage and paper costs amounted to about $73,000.

That's right. Auernheimer has to repay AT&T for envelopes and stamps with $73,000 of his own money -- and 3-1/2 years of his life. As Kerr points out, AT&T cannot reasonably pin this notification expense on Auernheimer as these costs are not "directly attributable" to the defendant's access of its supposedly off-limits URLs. Furthermore, Kerr says these costs are not "reasonable," considering AT&T's electronic notice to its customers was largely successful. In essence, Weev is doing time because he raided AT&T's petty cash box by proxy. Hopefully, this appeal will overturn this misguided sentence and prevent the CFAA from becoming an even worse law, thanks to the precedent set by this decision.

from the well,-look-at-that dept

Back when this hype about "cybersecurity" and "cyberwar" first started to hit the mainstream (early on, "cyberwar" was more common, but lately people focus on "cybersecurity"), we had an article which suggested that much of this really seemed to be about scaring up a panic for the sake of throwing money at defense contractors who wanted to charge crazy huge sums for "helping" with cybersecurity. And, as we noted, that push was leading to hundreds of millions of dollars in government contracts. It appears that, with cybersecurity FUD only getting bigger and bigger, the folks who are making out like bandits are all those defense contractors who are jumping in to fan the flames of FUD... and then taking our taxpayer money to "fix" the problem.

In that link above, they talk about Lockheed and Raytheon signing agreements with Homeland Security in which they get to "help" the government out by scanning email and other info collected by the NSA.

Under the program, critical infrastructure companies will pay the providers, which will use the classified information to block attacks before they reach the customers. The classified information involves suspect Web addresses, strings of characters, email sender names and the like.

None of this necessarily means that online attacks aren't a real threat... but I'd feel a lot more comfortable about where things were heading if there weren't a whole bunch of defense contractors gleefully rubbing their hands together as they scoop up more and more contracts while the FUD keeps spreading.

from the wtf dept

Just a few weeks ago, we had a story about how an awesome-looking documentary about comic artists needed to hit up Kickstarter to raise more money solely to purchase licenses to some of the artwork & video clips in the film. Most of the copyright holders let them use the work for free, but a few were demanding payment -- often thousands of dollars for a single image or short clip. As we've noted, documentary filmmakers are scared to death of relying on fair use, because they don't want to get sued (and some insurance providers won't give you insurance if you plan to rely on fair use).

And, now, there's an even crazier example. Two huge fans of the cult-favorite TV show Arrested Development have made a documentary about the show, talking to a ton of people who created and acted in the show, as well as to a bunch of fans. Given that a new season (via Netflix) is quickly approaching, getting this documentary out would make sense. The film is finished, according to the filmmakers. Done done done. So why are they asking Kickstarter for $20,053? Yup, you guessed it. Copyright licensing issues. And this time, it's really crazy:

After five years, we're finally close to releasing the documentary. Our final step is to pay the network for photos from the set of the show. These photos are extremely relevant to the story, and we can't move forward with the release of the documentary until our fees are paid to the network. This is where you come in. Help us pay the network fees so every Arrested fan can see this documentary!

Yes, photos from the set. And, "the network" in this case is 20th Century Fox. This seemed so ridiculous to me that I asked the filmmakers, Jeff Smith & Neil Lieberman, for the details, and they said that these are photos taken by a variety of people on set and that the people who took the photos gave them to Jeff & Neil willingly, but that "the network is claiming copyright." Just to be clear, Jeff & Neil don't have a problem with this, saying that they believe that this is "within the network's rights" to make that claim and they emphasized that Fox was giving them a "deep discount on the photos" and that it "could have been much worse" otherwise.

While it's great that the filmmakers are fine with this, it still seems quite troubling to me. Whoever took the photos in the first place would own the copyright on the basic photos themselves. This implies that Fox is claiming copyright on the set itself, which appears in the images (or, they're lying and claiming copyright on something they have no copyright on). And, yes, they could potentially claim copyright on the set -- but that doesn't make this any less crazy. Jeff & Neil would have a massively clear fair use argument if they were challenged on using these images. It is not as if the use of those images would somehow harm the "market" for "the set" itself (which is about all the network could possibly be claiming copyright on). It would obviously be a transformative use, and they'd just be displaying parts of the set. This is about as open and shut a fair use case as you could possibly imagine.

And, really, this is doubly ridiculous, because this documentary is only going to help promote the show more, not harm it in any way... oh wait. Fox no longer benefits from that because Fox cancelled the show and the new season is happening on Netflix instead... Perhaps that's what this is about. The cash from this Kickstarter could have gone into all sorts of actually useful things, including more marketing and promotions for the documentary (which does look great). But, instead, it's going into Fox's bank account, because Rupert Murdoch needs it more than two independent documentary filmmakers who were huge fans of the show. I thought copyright was supposed to be about helping filmmakers, not forcing them to waste $20,000+ on a bogus copyright claim.

from the just-as-we-suspected dept

Back when the US was negotiating ACTA, we were among those who raised the alarm about just how troubling this trade agreement was -- negotiated in back rooms by the USTR, with details that were kept in secret until they were locked in. In response, many of our critics said that we were overreacting, since ACTA was merely an "executive agreement" which (1) could not bind Congress to anything and (2) would not require any changes to US law, so it was "no big deal." In fact, we were directly told that Congress would not feel bound by such things, so we should shut up with our "same tired arguments," which were nothing but a "chicken little mentality" based on "what ifs."

Of course, part of our very specific concern about ACTA was that even if it required no direct changes in law, it very clearly locked in existing problematic laws, making it much more difficult to fix those problems. And while it did not technically "bind" Congress, the second that anyone in Congress proposed a law that went against the international agreement, we'd hear screaming from the usual crew of copyright lobbyists about how Congress was doing the most horrible of horribles in "violating our international agreements." Of course, they'd leave out the fact that they wrote or heavily influenced those agreements as a way to directly route around Congress.

For all the claims of Chicken Littles and what ifs, in the last few weeks, the "hypothetical" situations we discussed have become very, very real, and have highlighted why it's so problematic that the USTR is including copyright and patent issues in international trade agreements. First, as we noted a few weeks ago, on the issue of phone unlocking, some existing US trade agreements have made it difficult to actually fix the issue. In particular, we named KORUS, the free trade agreement we signed with South Korea half a decade ago, which included a number of copyright provisions, pushed by the entertainment industry (who had flipped out because South Korea was one of the first countries blanketed in broadband). The end result of that, however, is that it would go against that agreement to actually fix the problem (as the White House claims it wants) of phone unlocking being illegal.

First of all, trade agreements don't dictate what laws Congress can and can't pass. If they're executive agreements, they can't override any laws passed by Congress in the past, and even if they're executed as treaties, they can be superseded by later acts of Congress. Just like Congress can pass a law that overrides an earlier law, it can pass a law that overrides an earlier treaty.

That's technically true, but the reality is not so easy. Soon after my post went up, I started hearing from people all over DC about this issue. In the past few weeks, in talking to numerous Capitol Hill staffers, as well as with a variety of others involved in the discussions, one thing has become clear: while some in Congress really wanted to do a comprehensive fix on unlocking, the realization that international agreements get in the way may have scuttled those plans entirely. They recognize that Siy is correct, and that Congress is not technically bound, but what becomes clear is that the political reality is, in fact, very different. Proposing a bill that goes against an international agreement is seen as a no-no, and the political fight it would take to get that bill to actually do anything just probably isn't worth it.

So, there we have a very real and very tangible example of an agreement that technically didn't "change" our laws, now locking us in to a bad situation.

And... it could be even worse. For all the talk of how Congress isn't actually bound by the USTR's negotiations, it appears that someone forgot to tell that to certain members of the Supreme Court. When the Kirtsaeng case came out last week, the dissent, written by Justice Ginsburg, repeatedly cited international agreements for her interpretation of the law, even though those agreements aren't supposed to define or bind the law. John Bergmayer points out how wrong this is:

It is thus relevant that Justice Ginsburg writes, in dissenting from the majority opinion, that "[u]nlike the Court's holding, my position is consistent with the stance the United States has taken in international trade negotiations." But trade negotiators do not get to decide what the law is: Congress passes statutes and courts interpret them. The USTR is not part of this workflow. If trade negotiators have ever taken positions that are inconsistent with Kirtsaeng then those positions are now, and always have been contrary to US law. I would make a similar argument even if Kirtsaeng came out the other way: trade negotiators should not try to anticipate how contentious legal battles will turn out. They should steer clear of these areas entirely and allow the system to do its work.

So even though the law is clear that the USTR's secretive negotiations (often driven by the copyright industry) cannot actually make the law, at least three Supreme Court justices seem confused on this point.

And it could get even worse. That's because with the still-secretive TPP agreement, which is supposedly nearing completion, a look at what little leaked text there is on the issue of copyright shows that the TPP disagrees with the Kirtsaeng ruling and would require the US to kill off first sale rights on foreign-made products to "meet our international obligations." The leaked text includes the following:

“Article 4(2). Each Party shall provide to authors, performers, and producers of phonograms the right to authorize or prohibit the importation into that Party’s territory of copies of the work, performance, or phonogram made without authorization, or made outside that Party’s territory with the authorization of the author, performer, or producer of the phonogram.”

And while the TPP is not yet in effect, Sean Flynn (at the link above) notes that some other free trade agreements negotiated by the USTR already have similar provisions. That's why Ginsburg was so concerned about our supposed "international obligations" in her dissent on Kirtsaeng. Since copyright lobbyists are already pushing to overturn the Supreme Court's ruling with new laws, you can bet that we'll soon be hearing claims that we need to do this to "meet our international obligations."

The point of all of this? The USTR shouldn't be involved, at all, in negotiating IP issues in any such international agreements. Not only is it antithetical to the USTR's stated purpose, but, despite the law being to the contrary, many in both Congress and the Supreme Court really do feel that we are "bound" by those agreements, even if they were never approved by Congress and cover topics, such as copyright, which only Congress has the mandate to create and change. The "hypotheticals" we discussed around ACTA are no longer "what ifs," but are very real and should be a major concern.

With an attempt at real copyright reform on the table, the fact that the USTR may be seen (whether legally or not) as tying the hands of Congress should be reason enough to simply take those sections out of any and all trade agreements. They don't belong there and they're clearly causing significant problems for the public's best interests within the US. The USTR process is not transparent. It does not involve the public and is not responsive to the needs of voters. That Congress is then effectively unable to do such basic things as allowing the public to unlock their mobile phones (even at the White House's request) or to guarantee that we actually own what we've bought shows just how problematic the situation has become. A few people in Congress are now waking up to this fact, but too many are still oblivious. It's amazing that Congress has allowed the USTR to cut off its own power in this manner.

To fix this, the USTR needs to reject any language around intellectual property in any ongoing international agreements, and must look to pull that language out of earlier agreements. It just doesn't make any sense. Congress needs to assert itself, and let the USTR and the executive branch know that only it has say over copyright and patent laws, as per the Constitution. And, finally, if the White House truly believed what it said about mobile phone unlocking, it should order the USTR to reverse course -- and, as part of that, to start being much more transparent and responsive to the public as it negotiates any such agreements.

from the that's-just-silly dept

We're still a bit confused about why so many people freaked out a few years back when Google's Street View cars gobbled up some open WiFi data -- since anyone can do that on an open WiFi network. Various investigations did show that Google was a bit disorganized and had some poor controls in place, which perhaps meant that it should have caught the data collection sooner. So, if you think Google should be punished for that kind of thing, then the recent settlement with a group of state attorneys general perhaps made you happy.

That said, EFF is pointing out why the settlement is stupid -- not for Google, but for open WiFi and security. First, these technologically clueless attorneys general are requiring Google to create videos and ads promoting WiFi encryption... with a focus on old and bad standards like WEP. WEP has been broken since 2001: with freely available tools, the key can be recovered in minutes from captured traffic. Promoting it is like saying you should be locking your front door with a cheap chain lock. It's a "lock," but one that could be broken by pretty much anyone in seconds.

Even worse, though, is that the settlement requires Google to push the message that the only way to protect yourself is to lock up your WiFi. But that's ridiculous. Open WiFi, by itself, is not a bad thing. Yes, unencrypted data could be exposed, but the better answer is to encrypt the data itself, whether by using HTTPS or a VPN, so that it stays protected on every hop, not just over the air. As EFF notes, end-to-end encryption is always going to make more sense than just encrypting your access point and hoping that keeps people out. And, yet, much of the settlement focuses on having Google push people to lock up their WiFi.

The solution to public surveillance problems should not involve discouraging people from providing public resources like open wireless, since this cuts against the general interest and takes away a common good. As we've explained elsewhere, wireless encryption provides few benefits compared to the much stronger end-to-end encryption, a technology that can thrive alongside environments with open wireless access. The settlement could have gone so much farther by educating people how to run open wireless networks safely and securely—for example, through open guest networks.

It is apparent that too little thought and analysis went into this settlement document, and, as a result, the requirements do the public a huge disservice by hurting the Open Wireless Movement.

Of course, this is the kind of thing you get when you let grandstanding politicians tell companies how they need to act concerning technology they don't understand.
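To make the distinction concrete, here is an added example of what the choices look like in a hostapd configuration, the access-point daemon used on most Linux-based routers. This is not code from the original post, from EFF, or from the settlement. It contrasts the WEP setting the settlement's videos would be promoting (shown commented out, for contrast only) with a current WPA2-PSK network, and adds an open guest network of the kind EFF mentions, isolated from the private network so guests cannot reach each other or the LAN. Interface names, SSIDs, the bridge name and the passphrase are placeholder values; running more than one BSS on one radio requires driver support for it.

```ini
# hostapd.conf: added example, not from the original post, EFF, or the settlement.
# Interface names, SSIDs, bridge name and passphrase below are placeholders.

interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# --- What "encrypt your WiFi" must NOT mean: WEP ---
# A WEP BSS would look like the three lines below. WEP uses RC4 with a
# 24-bit IV; the key can be recovered in minutes from captured traffic
# with freely available tools. Shown only for contrast; do not enable.
#ssid=HomeNet-WEP
#wep_default_key=0
#wep_key0=0123456789

# --- Private network: WPA2-PSK with AES-CCMP ---
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=replace-with-a-long-random-passphrase

# --- Open guest network on the same radio (needs multi-BSS support) ---
# No link-layer encryption here, so guests are expected to rely on
# end-to-end protection (HTTPS, VPN) for anything sensitive, exactly as
# they would on any other open network.
bss=wlan0_guest
ssid=HomeNet-Guest
# Stop guest clients from reaching each other through the AP.
ap_isolate=1
# Put guest traffic on its own bridge so it cannot reach the private LAN.
# The bridge (and any firewall rules on it) must exist on the host.
bridge=br-guest
```

The point of the layout is that the private SSID gets modern link-layer encryption, while the open SSID is made safe to offer by isolation and by the assumption that sensitive traffic is already encrypted end to end; neither choice has anything to do with WEP.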

from the take-a-stand dept

With academics increasingly fighting back against ridiculous academic journal publishing rules that lock up information, we've often wondered how academics who work for some of those journals feel. In one case, those academics have just made a very loud statement. The editor and entire editorial board for the Journal of Library Administration have all resigned en masse to protest the journal's closed access provisions, which they claim are "too restrictive and out of step with the expectations of authors." The editor, Damon Jaggars (also an associate university librarian at Columbia University), only became the editor recently, but noted that many authors he approached pushed back about the licensing terms.

Some found the terms too confusing, Mr. Jaggars said, while others felt they were too restrictive. Many requested, instead, a form of Creative Commons license, arguing that the journal’s agreement left them little ownership of their own work.

What may have pushed the editorial board over the edge, it seems, was the Aaron Swartz story. One of the editorial board members, Chris Bourg, who is an assistant university librarian at Stanford, published a blog post in which she directly cites the Swartz situation as making it clear she needed to resign:

Later, Damon asked me to write an article about our Library Concierge project for JLA, and again I said yes. When Damon contacted me later with an actual deadline for the article, I told him I was having second thoughts. It was just days after Aaron Swartz’ death, and I was having a crisis of conscience about publishing in a journal that was not open access. Damon reminded me (gently) that not only had I agreed to write for JLA, but I was on the Editorial Board, so this could be a problem. More importantly, he assured me that he was working with Taylor & Francis to try to get them to adopt less restrictive agreements that would allow for some form of Creative Commons license. He told me his strategy was to work from within to encourage change among publishers. Once again, Damon’s power of persuasion worked.

So, I worked on the article, and just recently submitted it. In the meantime, Damon continued to try to convince Taylor & Francis (on behalf of the entire Editorial Board, and with our full support), that their licensing terms were too confusing and too restrictive. A big part of the argument is that the Taylor & Francis author agreement is a real turn-off for authors and was handicapping the Editorial Board’s ability to attract quality content to the journal. The best Taylor & Francis could come up with was a less restrictive license that would cost authors nearly $3000 per article. The Board agreed that this alternative was simply not tenable, so we collectively resigned. In a sense, the decision was as much a practical one as a political one. Huge kudos to Damon for his persistence, his leadership, and his measured and ethical stance on this issue.

Everyone resigned on Friday. As of the latest updates, the company that publishes the journal, Taylor & Francis, had not responded to anyone about the resignations.

Either way, good for this team for taking a stand against such restrictive practices. Hopefully it helps to wake up other journals and publishers that closing off access is no way to run an academic journal.

from the overbroad dept

The EFF has a blog post about a very troubling ruling in a Georgia state court that effectively orders the censoring of an anti-copyright-trolling blog, including user comments. The blog in question, ExtortionLetterInfo.com, is run by a guy named Matt Chan. He recently took up the cause of people who have been hit by copyright infringement demands from Linda Ellis, a poet who is somewhat infamous for going after lots of people, demanding payments after they posted her sappy poem "The Dash." She apparently threatens people (ridiculously) with the statutory maximum award of $150,000 per infringement, but will "settle" for a mere $7,500 -- often going after non-profits, charities and churches who want to share the "positive message" of the poem. Yes, she demands $7,500 for posting her poem to a website.

Her actions have been written about and talked about in a wide variety of places online, and when ELI took up the issue, some of the comments made on the ELI site got nasty and pretty aggressive, which is unfortunate. As much as people dislike trolling behavior, there's simply no reason to ever go that far. However, even if the posts went too far, the judge went much further in ordering Chan to remove all mention of Ellis from his site, whether by him or any user.

Respondent is hereby ORDERED to remove all posts relating to Ms. Ellis. Respondent is hereby enjoined and restrained from doing or attempting to do, or threatening to do any act constituting a violation of O.C.G.A. §§ 16-5-90 et seq. and of harassing, interfering, or intimidating the Petitioner or Petitioner's immediate family. Any future acts committed by the Respondent towards the Petitioner which are in violation of this statute and this Protective Order can amount to AGGRAVATED STALKING, pursuant to O.C.G.A. § 16-5-91, which is a felony. A person convicted of Aggravated Stalking shall be punished by imprisonment for not less than one nor more than ten years and by a fine of not more than $10,000.00

As the EFF points out, this order goes way, way too far by violating a variety of existing laws and the First Amendment.

Removing "all posts relating to Ms. Ellis" is neither narrowly tailored nor the least restrictive means of addressing any true threats. It fails the First Amendment test because of the collateral damage: it will take down constitutionally-protected criticism of the copyright troll and her demands for money. For example, Ellis complained that "there were vile posts of blasphemy." While blasphemy is doubtless offensive to Ellis, it remains protected speech.

The Georgia Court's overreaching order against Chan also contradicts federal law because it holds a service provider to account for users' posts. Section 230 protects websites that host content posted by users, providing immunity for a website from state law claims (including criminal law) based on the publication of "information provided by another information content provider."

The court, incorrectly, insists that because Chan has the ability to remove posts, he is obligated to do so.

As the owner and operator of the site, Respondent has the ability to remove posts in his capacity as the moderator. However, Respondent chose not to remove posts that were personally directed at Ms. Ellis and would cause a reasonable person to fear for her safety. Because the Respondent's course of conduct was directed at Ms. Ellis through the posted messages and information relating to Ms. Ellis, and the conduct was intended (and in fact did) create fear and intimidation in the Petitioner.

Except, as the EFF reminds us, under section 230, there is no duty to remove content and no liability for failing to remove that content even if you can. In the famous Zeran case, the court clearly held:

[L]awsuits seeking to hold a service liable for its exercise of a publisher's traditional editorial functions – such as deciding whether to publish, withdraw, postpone or alter content – are barred. The purpose of this statutory immunity is not difficult to discern. Congress recognized the threat that tort-based lawsuits pose to freedom of speech in the new and burgeoning Internet medium.

As the EFF post notes, this does not mean that those who said illegal things are not liable, but "the responsibility lies with the speaker." Having the court issue such a broad order barring speech and pinning the blame on the site for statements of users goes beyond what the law allows.

from the add-value,-don't-take-it-away dept

It's really incredible how many bad strategies legacy companies come up with in trying to compete with the internet. Rather than increasing their own value and figuring out ways to leverage that value, they often go in the other direction and make the experience worse. Case in point, this store in Australia that is so fed up with people shopping in the store, but then buying online that it's now charging people $5 as they enter just to look around. If you buy something, the $5 counts towards the purchase. If you don't, the store keeps it.

In case you can't read it, the sign says:

As of the first of February, this store will be charging people a $5 fee per person for “just looking.”

The $5 fee will be deducted when goods are purchased.

Why has this come about?

There has been a high volume of people who use this store as a reference and then purchase goods elsewhere. These people are unaware our prices are almost the same as the other stores plus we have products simply not available anywhere else.

This policy is in line with many other clothing, shoe and electronic stores who are also facing the same issue.

I can understand where the thought process to do something like this comes from. For years, of course, we've heard things about how Best Buy has basically become Amazon's showroom. But this is the exact wrong response. Rather than showing ways to add more value to the customer experience so they want to come in, they're taking away value and giving customers reasons to never go in in the first place. That's a stunningly short-sighted way of running a business. The people who were coming in, seeing what was there and then ordering online aren't suddenly going to start paying you for stuff anyway. They'll keep shopping online. But, on top of that, some existing customers who are used to buying will be turned off by this and also switch to buying online.

In fact, this seems to be screaming out "hey, you get better deals online and we know it!" Not smart.

Instead of doing that, why not look for ways to add value? For a specialist store like this, they could create all sorts of additional value, including more support in helping customers find what they need, the ability to offer bundles and recipes, cooking classes and much much more. The focus should be on using the local store to provide more value rather than taking away reasons to shop there.

from the why-would-they-do-this? dept

On Monday, we broke the news of the House Judiciary Committee circulating a terrible bill that would make the Computer Fraud and Abuse Act (CFAA) much worse, rather than better. It would expand definitions and make it even easier for the Justice Department to go after people for harmless activity. In fact, even the part we originally thought might fix one of the worst parts of the CFAA actually makes it worse.

Now that the bill has been out a few days, various experts on the CFAA are scratching their heads about why the House Judiciary Committee is even bothering with this draft bill. As Orin Kerr notes, this seems to be a basic rehash of the DOJ's attempt two years ago to expand the CFAA. He suggests (and we agree) that the Judiciary Committee stop recycling DOJ language from 2011, start dealing in the present, and address the very real problems with the CFAA rather than just the wishes of a DOJ that wants more power.

They’re looking for feedback, so here is mine: Stop taking DOJ’s language from back in 2011 and packaging it as something new. Based on a quick read, it seems that the amendments for 1030 in the new draft are mostly copied from a bill that Senator Leahy offered (with substantial input from DOJ, as I understand it) back in November 2011. I criticized that language here. The new circulating draft also adopts the sentencing enhancements (minus mandatories) and the proposed 1030a that DOJ advocated in May 2011. I criticized that initial DOJ language here. (There’s also a breach notification provision in the new language, but I haven’t followed that issue closely; I don’t know if that proposal is also based on old language.)

[....] This language is really, really broad. If I read it correctly, the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions. It would make it a felony crime for anyone to violate the TOS on a government website. It would also make it a federal felony crime to violate TOS in the course of committing a very minor state misdemeanor. If there is a genuine argument for federal felony liability in these circumstances, I hope readers will enlighten me: I cannot understand what they are.

Of course, when we brought up similar examples in our original post, people said we were overreacting. Hmm. Meanwhile, Paul Rosenzweig, the former Deputy Assistant Secretary for Policy at Homeland Security, is similarly stumped by the direction of the reform.

My quick review and reaction to this bill is that it seems to answer most of what the Department of Justice wants with very little for the internet online community in return. Most notably the bill would make violations of the CFAA predicate acts for a RICO criminal charge — what this means is that if you engage in just two instances of violating the CFAA, then you are engaged in a pattern of racketeering, with substantial criminal penalties and... since the criminal definitions translate directly to civil liability... a very significant possibility of a “bet the company” civil suit. Not a move designed to foster innovation, I think.

Hopefully, the House Judiciary Committee goes back to the drawing board on this, and takes a closer look at things like Aaron's Law, which is being developed to cut back on the excesses of the CFAA, rather than expand them.

from the new-new-thing,-or-old-new-thing? dept

Techdirt has been following the rapid rise and current problems of the various Pirate Parties in Europe for some time. Both their success and difficulties flow in part from the fact that they do not fit neatly into the traditional political categories. This makes them attractive to those who are disenchanted with established parties, but also makes it hard for Pirate Parties to devise a coherent political program that they can seek to implement, for example through alliances with others.

An interesting question is whether the Pirate Party is a one-off, or part of a larger movement away from traditional party lines towards a different kind of politics -- specifically one that recognizes the central importance of the Internet in modern life. That's just been answered by the appearance of a new party in Brazil, as reported by Global Voices:

A former Brazilian presidential candidate and famous environmentalist is leading the charge for the creation of a new political party in the country, one that seeks to use the Internet as a tool for action on sustainability issues.

Former Brazilian Environment Minister Marina Silva officially launched her Sustainability Network in the capital Brasilia on 16 February, 2013, to a crowd of around 1,700 people, including supporters, founders and ideologues. The network aims to collect the required 500,000 signatures by September 2013 to become legally recognised as a political party.

What's interesting here is that the new party seems to draw on both traditional Green policies, with their emphasis on sustainability, and key ideas of the Net-based Pirate Party. For example, the idea of a network is central to the new party, as its name -- "Sustainability Network" -- makes clear. The party's manifesto (original pdf in Portuguese) expands on this aspect:

We believe that networks, as a means of aggregation and organization, are an invention of the present that bridges to a better future. The concept of a network is based on a democratic and egalitarian operation that seeks convergences in diversity. It is an instrument against the power of hierarchies that capture democratic institutions and, ironically, makes them their instrument of domination. For it is networked with society that we want to build a new political force, with alliances underpinned by an Ethics of Urgency, having as its aim the construction of a new model of development: sustainable, inclusive, egalitarian and diverse.

As the Global Voices article explains, like the Pirate Party in Europe, the new Sustainability Network is already coming under fire for its unusual platform. It will be interesting to see whether it can use the Internet to collect the signatures it needs in order to become a formal party -- and what happens afterwards.